PrivacyGuard: Exploring Hidden Cross-App Privacy Leakage Threats In IoT Apps
Authors: Zhaohui Wang (The University of Kansas), Bo Luo (The University of Kansas), Fengjun Li (The University of Kansas)
Volume: 2025
Issue: 1
Pages: 776–791
DOI: https://doi.org/10.56553/popets-2025-0040
Abstract: The increasing use of Internet of Things (IoT) technology has made our lives convenient, but it also poses new security and privacy threats. In this work, we study a new type of privacy threat enabled by cross-app chains built among multiple seemingly benign IoT apps. We find that interactions among apps could leak privacy-sensitive information, such as users' identification, location and tracking, and activity patterns. To tackle this challenge, we introduce PrivacyGuard, which extracts cross-app chains in the form of trigger-condition-action rules and identifies the corresponding privacy leakage risk with an inference probability. PrivacyGuard supports a fine-grained categorization of privacy threats to generate detailed alerts about privacy leakages. We evaluated PrivacyGuard on a dataset with 2,101 SmartApps, 2,788 IFTTT rules, and 2,086 OpenHAB rules. The results show that PrivacyGuard could uncover hidden privacy leaks that existing studies fail to detect. For example, 7.67% of the chains constructed from two seemingly benign IoT apps could leak at least one type of privacy information, and over 80% of the leaks involved privacy information regarding Localization & Tracking and Activity Profiling.
Keywords: IoT security and privacy, privacy leakage, IoT app privacy
Copyright in PoPETs articles is held by their authors. This article is published under a Creative Commons Attribution 4.0 license.